OSV, google's service to learn about open source vulnerabilities

Google recently announced the launch of a new service called "OSV" (Open Source Vulnerabilities), which provides access to a database of information on vulnerabilities in open source software.

The service provides an API that allows requests for vulnerability information to be automated, with the results tied to the state of the code repository. Vulnerabilities are assigned separate OSV identifiers that complement CVE entries with extended information.

In particular, the OSV database reflects the status of the fix for each problem: the commits at which the vulnerability appeared and was repaired, the range of vulnerable versions, links to the project repository with the code, and the original report of the problem.

We are excited to release OSV (Open Source Vulnerabilities), our first step towards improving vulnerability triage for developers and consumers of open source software. The goal of OSV is to provide accurate data on where a vulnerability was introduced and where it was fixed, thus helping open source software consumers to accurately identify if they are affected and then make security fixes as quickly as possible. We have started OSV with a data set of fuzzing vulnerabilities found by the OSS-Fuzz service. The OSV project evolved from our recent efforts to improve open source vulnerability management ("Know, Prevent, Fix" framework).

Managing vulnerabilities can be painful for both consumers and maintainers of open source software, and in many cases involves tedious manual work.

The main purpose of creating OSV is to simplify the process of informing package maintainers about vulnerabilities by accurately identifying the versions and commits affected by each issue. The data it holds makes it possible, at the level of commits and tags, to track where a vulnerability manifests and to analyze whether derivative projects and dependencies are susceptible to the problem.

In addition to searching for vulnerabilities, the service also automates the search for affected versions. For this it relies on automated impact analysis and bisection. The latter is used to find the commit that introduced a particular bug into the project.
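The bisection step described above, as an added illustration that is not OSV's own code: given a linear commit history (oldest first) and an oracle that reports whether a crash reproducer still triggers at a given commit, binary search narrows the introducing commit down in O(log n) oracle calls. The commit ids and the oracle are constructed for the example; a real run would check out each commit and run the fuzzer's reproducer as the oracle.

```python
"""Added example: bisecting a linear history for the commit that introduced a bug.

Assumptions (not from the article): the history is linear, and once the bug
is introduced it stays present at every later commit (a monotonic oracle).
"""
from typing import Callable, List, Optional, Tuple


def bisect_first_true(history: List[str], oracle: Callable[[str], bool]) -> Optional[str]:
    """Return the first commit in `history` at which `oracle` is True.

    The oracle is assumed monotonic: False for a prefix of the history, then
    True for the rest. Returns None when the oracle is False at the newest
    commit (nothing to bisect).
    """
    if not history or not oracle(history[-1]):
        return None
    if oracle(history[0]):
        return history[0]  # already present at the oldest commit we have
    lo, hi = 0, len(history) - 1  # invariant: history[lo] False, history[hi] True
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle(history[mid]):
            hi = mid
        else:
            lo = mid
    return history[hi]


def bisect_with_count(history: List[str], oracle: Callable[[str], bool]) -> Tuple[Optional[str], int]:
    """Same search, but also report how many times the oracle was consulted."""
    calls = 0

    def counting_oracle(commit: str) -> bool:
        nonlocal calls
        calls += 1
        return oracle(commit)

    return bisect_first_true(history, counting_oracle), calls


# Constructed sample history: 64 fake commit ids, bug introduced at c40
# and fixed at c57 (so commits c40..c56 are vulnerable).
SAMPLE_HISTORY = [f"c{i}" for i in range(64)]
INTRODUCED_AT = SAMPLE_HISTORY.index("c40")
FIXED_AT = SAMPLE_HISTORY.index("c57")


def crash_reproduces(commit: str) -> bool:
    """Constructed oracle standing in for 'run the fuzzer reproducer at this commit'."""
    return INTRODUCED_AT <= SAMPLE_HISTORY.index(commit) < FIXED_AT


def find_introducing_commit() -> Tuple[Optional[str], int]:
    # Search only the part of history before the fix, where the oracle is monotonic.
    return bisect_with_count(SAMPLE_HISTORY[:FIXED_AT], crash_reproduces)


def find_fixing_commit() -> Tuple[Optional[str], int]:
    # After the introduction, "bug no longer reproduces" is the monotonic predicate.
    later = SAMPLE_HISTORY[INTRODUCED_AT:]
    return bisect_with_count(later, lambda c: not crash_reproduces(c))


if __name__ == "__main__":
    print("introduced at:", find_introducing_commit())
    print("fixed at:     ", find_fixing_commit())
```

Running the module prints the introducing commit (c40) and the fixing commit (c57), each found with far fewer oracle calls than the 64 commits in the history. The same routine finds both endpoints of a vulnerable range; only the predicate changes.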

Anyone using an open source library can access OSV through an API and check whether a particular version is affected by a known vulnerability. An API key from the Google API console is required for the query.

For consumers of open source software, it is often difficult to map a vulnerability such as a Common Vulnerabilities and Exposures (CVE) entry to the package versions they are using. This is because the versioning schemes of existing vulnerability standards (such as Common Platform Enumeration (CPE)) do not correspond well with the actual versioning schemes used in open source, which are usually versions/tags and commit hashes. The result is overlooked vulnerabilities that affect downstream consumers.

For example, the API allows you to request information about the presence of vulnerabilities by commit hash or by program version. Currently, the database contains about 25 thousand problems identified by automated fuzzing in the OSS-Fuzz system, which covers the code of more than 380 open source projects in C/C++.
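The two lookups just described (by commit hash and by package version), as an added example that is not OSV's own client code. It assumes the `/v1/query` endpoint at api.osv.dev and the published OSV response shape (`vulns[].affected[].ranges[].events[]` with `introduced`/`fixed` events); the response embedded below is constructed to exercise the parser and is not real OSV data, and passing the API key as a `key` query parameter is likewise an assumption about the launch-era endpoint.

```python
"""Added example: building OSV queries and reading the affected ranges out of a reply.

Assumptions (not from the article): endpoint URL, request/response field names
per the OSV schema, and the `key` query parameter for the API key.
"""
import json
import urllib.request
from typing import Any, Dict, List, Optional

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # assumed endpoint


def build_query(*, commit: Optional[str] = None, package: Optional[str] = None,
                ecosystem: Optional[str] = None, version: Optional[str] = None) -> Dict[str, Any]:
    """Build the JSON body for either a commit-hash or a package-version lookup."""
    if commit:
        return {"commit": commit}
    if package and ecosystem and version:
        return {"version": version, "package": {"name": package, "ecosystem": ecosystem}}
    raise ValueError("need either a commit hash or package + ecosystem + version")


def summarize(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten a /v1/query reply into one record per affected range.

    Each OSV range carries an ordered list of events; the last 'introduced'
    and 'fixed' seen are kept, which is the common single-span case.
    """
    records = []
    for vuln in response.get("vulns", []):
        for affected in vuln.get("affected", []):
            for rng in affected.get("ranges", []):
                introduced = fixed = None
                for event in rng.get("events", []):
                    introduced = event.get("introduced", introduced)
                    fixed = event.get("fixed", fixed)
                records.append({
                    "id": vuln.get("id"),
                    "aliases": vuln.get("aliases", []),
                    "type": rng.get("type"),
                    "repo": rng.get("repo"),
                    "introduced": introduced,
                    "fixed": fixed,
                    "unfixed": fixed is None,  # still open upstream: no fix commit/version yet
                })
    return records


def query_osv(body: Dict[str, Any], api_key: Optional[str] = None, timeout: int = 10) -> Dict[str, Any]:
    """POST the query to OSV (network call; not exercised offline)."""
    url = OSV_QUERY_URL + (f"?key={api_key}" if api_key else "")
    request = urllib.request.Request(url, data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample reply (placeholder ids and hashes, not real OSV entries).
SAMPLE_RESPONSE: Dict[str, Any] = {
    "vulns": [
        {
            "id": "OSV-EXAMPLE-0001",
            "aliases": ["CVE-XXXX-YYYY"],
            "affected": [{
                "package": {"name": "example-lib", "ecosystem": "OSS-Fuzz"},
                "ranges": [{
                    "type": "GIT",
                    "repo": "https://example.invalid/example-lib.git",
                    "events": [{"introduced": "aaaa1111"}, {"fixed": "bbbb2222"}],
                }],
            }],
        },
        {
            "id": "OSV-EXAMPLE-0002",
            "affected": [{
                "ranges": [{"type": "GIT", "events": [{"introduced": "cccc3333"}]}],
            }],
        },
    ]
}


if __name__ == "__main__":
    print(json.dumps(build_query(commit="aaaa1111")))
    print(json.dumps(build_query(package="example-lib", ecosystem="PyPI", version="1.2.3")))
    for record in summarize(SAMPLE_RESPONSE):
        print(record)
```

The `unfixed` flag is the field a consumer cares about most: a range with an `introduced` event but no `fixed` event means the problem is known but not yet repaired upstream, so pinning to a newer version will not help until a fix commit lands.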

We are planning to work with open source communities to scale with data from various language ecosystems (e.g. NPM, PyPI) and build a pipeline for package maintainers to submit vulnerabilities with minimal work.

In the future, additional sources of vulnerability information are planned to be connected to the database. For example, work is under way to integrate vulnerability information for projects in the Go language, as well as for the NPM and PyPI ecosystems.

Finally, if you want to know more about it, you can consult the following link.
